Re: netlogon error
From: Brown (fbrown_at_mta-inc.com)
Date: 01/07/05
Date: Fri, 7 Jan 2005 14:31:21 -0600
In the DNSMGMT console on the SBS box, all entries in the forward lookup
zone for the non-SBS box are identical to the entries in the forward lookup
zone on the SBS box.
Brown
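
The comparison discussed in this message (the records listed in the non-SBS DC's netlogon.dns against what the SBS DNS server actually answers) can be scripted instead of checked by eye in the DNS console. The PowerShell below is an added example, not part of the original thread: the function names are hypothetical, and the netlogon.dns lines and zone answers are constructed samples built from names that appear in the thread. The live path uses Resolve-DnsName, which requires the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example. Parses netlogon.dns-style lines (the records Netlogon tries
# to register for one DC) and reports which ones the DNS server does not answer.

function ConvertFrom-NetlogonDns {
    param([string[]]$Line)
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if (-not $text -or $text.StartsWith(';')) { continue }   # blank or comment
        # Layout: <owner> <ttl> IN <type> <rdata...>
        $f = $text -split '\s+'
        if ($f.Count -lt 5 -or $f[2] -ne 'IN') {
            Write-Warning "Skipping unparsed line: $text"
            continue
        }
        $type   = $f[3].ToUpperInvariant()
        $target = $f[-1].TrimEnd('.')
        # SRV rdata is "priority weight port target"; A and CNAME carry one field.
        $expect = if ($type -eq 'SRV' -and $f.Count -ge 8) { "$($f[6]) $target" } else { $target }
        [pscustomobject]@{ Name = $f[0].TrimEnd('.'); Type = $type; Expect = $expect }
    }
}

function Test-NetlogonRegistration {
    param([object[]]$Expected, [scriptblock]$Resolver)
    foreach ($r in $Expected) {
        # The resolver returns answers as "ip", "host" or "port host" strings.
        $answers = @(& $Resolver $r.Name $r.Type)
        [pscustomobject]@{
            Name       = $r.Name
            Type       = $r.Type
            Expect     = $r.Expect
            Registered = ($answers -contains $r.Expect)   # case-insensitive match
        }
    }
}

# Live resolver: asks one specific DNS server and normalises the answers.
function Resolve-FromServer {
    param([string]$Name, [string]$Type, [string]$Server)
    Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Section -eq 'Answer' } |
        ForEach-Object {
            $rr = $_   # keep the record; switch rebinds $_ inside its blocks
            switch ($rr.Type.ToString()) {
                'SRV'   { "$($rr.Port) $($rr.NameTarget.TrimEnd('.'))" }
                'CNAME' { $rr.NameHost.TrimEnd('.') }
                'A'     { $rr.IPAddress }
            }
        }
}

# Constructed sample in netlogon.dns layout, using names from the thread.
$netlogonDns = @'
MTA-inc.local. 600 IN A 192.168.1.98
_ldap._tcp.MTA-inc.local. 600 IN SRV 0 100 389 mta-server02.MTA-inc.local.
_kerberos._tcp.dc._msdcs.MTA-inc.local. 600 IN SRV 0 100 88 mta-server02.MTA-inc.local.
_kpasswd._tcp.MTA-inc.local. 600 IN SRV 0 100 464 mta-server02.MTA-inc.local.
67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local. 600 IN CNAME mta-server02.MTA-inc.local.
'@ -split "`r?`n"

# Constructed zone state: the host address is present, but the SRV records
# point only at the first DC and the second DC's GUID CNAME is absent.
$zoneOnSbs = @{
    'MTA-inc.local|A'                            = '192.168.1.99', '192.168.1.98'
    '_ldap._tcp.MTA-inc.local|SRV'               = '389 mta-main.MTA-inc.local'
    '_kerberos._tcp.dc._msdcs.MTA-inc.local|SRV' = '88 mta-main.MTA-inc.local'
}
$offline = { param($n, $t) $zoneOnSbs["$n|$t"] }

$report = Test-NetlogonRegistration -Expected (ConvertFrom-NetlogonDns $netlogonDns) -Resolver $offline
$report | Where-Object { -not $_.Registered } | Format-Table -AutoSize

# Live check against the SBS DNS server from the thread, run on the non-SBS DC:
# $live = { param($n, $t) Resolve-FromServer $n $t '192.168.1.99' }
# $file = Get-Content "$env:SystemRoot\System32\config\netlogon.dns"
# Test-NetlogonRegistration -Expected (ConvertFrom-NetlogonDns $file) -Resolver $live
```

A host record that is present while the SRV and GUID CNAME records are missing is the case the console view can hide, since the server name still shows up in the forward zone.
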
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:O9aGyKP9EHA.2196@TK2MSFTNGP11.phx.gbl...
> <quote>
> There is a netlogon.dns file deposited in the config folder in
> system32 on DCs, and these are unique to each DC. The
> records that are recorded there in the nonSBS are what
> should now exist in the DNS on the SBS machine.
> </quote>
> If those records do not exist in the SBS DNS forward zones
> then the KCC (algorithm that generates the replication paths)
> will not be able to do its job.
>
> If you look in the Sites and Domains and drill in and do see
> that NTDS settings for the nonSBS does have replication links
> defined, then it is doing its job. If not, it may be that these DNS
> records did not get registered.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "Brown" <fbrown@mta-inc.com> wrote in message
> news:u3SC12M9EHA.960@TK2MSFTNGP11.phx.gbl...
> > OK, I launch the dnsmgmt console on the SBS box.
> > Under the SBS > Forward Lookup Zones > in the MTA-Inc.local folder, the
> > non-SBS box is listed.
> > I located the netlogon.dns file in windows\system32\config on the SBS box.
> > Last modified 0718 this AM. (I had to stop and restart the box to replace
> > a faulty UPS this AM)
> > On the non-SBS box, same place last update 1356 yesterday (restart time)
> > Brown
> >
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:OLyR5bM9EHA.4072@TK2MSFTNGP10.phx.gbl...
> >> Those messages when launching those tools on the nonSBS
> >> seem to indicate that the AD initial replication into it still
> >> has not happened.
> >>
> >> There is no software firewall configured on the SBS, right?
> >>
> >> You have not yet mentioned whether after yesterday morning
> >> when the DNS config of the nonSBS was changed, is the nonSBS
> >> now showing in the forward lookup zones when viewed in the
> >> SBS DNS mgmt UI. There is a netlogon.dns file deposited in
> >> the config folder in system32 on DCs, and these are unique to
> >> each DC. The records that are recorded there in the nonSBS
> >> are what should now exist in the DNS on the SBS machine.
> >>
> >> If you run Sites and Services on the SBS and drill in do you
> >> also see the nonSBS there? If so, do you see under its NTDS
> >> settings that there are replication links defined to it?
> >>
> >> --
> >> Roger
> >> "Brown" <fbrown@mta-inc.com> wrote in message
> >> news:ezfFk2L9EHA.1524@TK2MSFTNGP09.phx.gbl...
> >> > The non-SBS does appear in the Domain Controllers OU on the SBS box. With
> >> > the changes I have made in the last couple of days, when I launch AD Users &
> >> > Computers on the non-SBS I get an error that states
> >> > "Naming information cannot be located because:
> >> > The target principal name is incorrect.
> >> > Contact your system administrator to verify that your domain is properly
> >> > configured and is currently online."
> >> > Same message for AD Site & Services.
> >> > AD Domains & Trust gives the message
> >> > "The configuration information describing this enterprise is not available.
> >> > The target principal name is incorrect."
> >> >
> >> > It looks like something is not pointing to the right place, but I have no
> >> > clue.
> >> >
> >> > Brown
> >> >
> >> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> > news:Ow#phqF9EHA.3504@TK2MSFTNGP12.phx.gbl...
> >> > > After the reboot, or also after waiting a while ?
> >> > > The replication does not complete instantly.
> >> > >
> >> > > When you use AD Users and Computers on the SBS do
> >> > > you see the W2k3 listed in the Domain Controllers OU ?
> >> > > It is starting to sound like it is not going to be there (meaning
> >> > > that the W2k3 believes it is supposed to be a DC but the SBS
> >> > > does not - something I can't understand happening except maybe
> >> > > if during dcpromo NetBios based RPC communications is
> >> > > interrupted early in the promo but is OK at the very start)
> >> > >
> >> > > --
> >> > > Roger
> >> > > "Brown" <fbrown@knology.net> wrote in message
> >> > > news:%234PIOJF9EHA.3676@TK2MSFTNGP10.phx.gbl...
> >> > > > After the restart on the nonSBS machine this morning, when I open Active
> >> > > > Directory Users and Computers it indicates that AD is not running.
> >> > > >
> >> > > > Brown
> >> > > >
> >> > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> >> > > > news:%234oS7IE9EHA.3012@TK2MSFTNGP09.phx.gbl...
> >> > > > > Those messages are not unexpected the first time around, because
> >> > > > > the new DC has not yet completed its initial sync with the existing AD,
> >> > > > > and so does not have its own copy (which it was trying to access).
> >> > > > > One would expect those to go away in the future as when the DNS
> >> > > > > server code fires up it then will find the AD content it is complaining
> >> > > > > about not finding now.
> >> > > > >
> >> > > > > The issue is, do we have a functioning DC that does have replication
> >> > > > > established with the SBS DC ?
> >> > > > >
> >> > > > > At a cmd prompt run replmon and connect to the two DCs and drill
> >> > > > > into the defined replications to see if things seem to be happening.
> >> > > > > Alternatively, on the nonSBS run AD Users and Computers, use the
> >> > > > > properties to make sure that you are focused on the nonSBS machine
> >> > > > > and the domain controller the tool is speaking with, and then click
> >> > > > > around and see if it looks the same as when the tool is connected
> >> > > > > to AD on the SBS machine.
> >> > > > >
> >> > > > > --
> >> > > > > Roger Abell
> >> > > > > Microsoft MVP (Windows Server System: Security)
> >> > > > > MCDBA, MCSE W2k3+W2k+Nt4
> >> > > > > "Brown" <fbrown@mta-inc.com> wrote in message
> >> > > > > news:%23P7OoiA9EHA.3944@TK2MSFTNGP12.phx.gbl...
> >> > > > >> OK, Got through the steps and restarted. In the dnsmgmt console on the
> >> > > > >> Win2K3, got a warning:
> >> > > > >> Event Type: Warning
> >> > > > >> Event Source: DNS
> >> > > > >> Event Category: None
> >> > > > >> Event ID: 4013
> >> > > > >> Date: 1/6/2005
> >> > > > >> Time: 9:40:16 AM
> >> > > > >> User: N/A
> >> > > > >> Computer: MTA-SERVER02
> >> > > > >> Description:
> >> > > > >> The DNS server was unable to open the Active Directory. This DNS server is
> >> > > > >> configured to use directory service information and can not operate without
> >> > > > >> access to the directory. The DNS server will wait for the directory to
> >> > > > >> start. If the DNS server is started but the appropriate event has not been
> >> > > > >> logged, then the DNS server is still waiting for the directory to start.
> >> > > > >>
> >> > > > >> For more information, see Help and Support Center at
> >> > > > >> http://go.microsoft.com/fwlink/events.asp.
> >> > > > >> Data:
> >> > > > >> 0000: 2d 23 00 00 -#..
> >> > > > >> -------
> >> > > > >> Then got an error:
> >> > > > >> Event Type: Error
> >> > > > >> Event Source: DNS
> >> > > > >> Event Category: None
> >> > > > >> Event ID: 4000
> >> > > > >> Date: 1/6/2005
> >> > > > >> Time: 9:40:16 AM
> >> > > > >> User: N/A
> >> > > > >> Computer: MTA-SERVER02
> >> > > > >> Description:
> >> > > > >> The DNS server was unable to open Active Directory. This DNS server is
> >> > > > >> configured to obtain and use information from the directory for this zone
> >> > > > >> and is unable to load the zone without it. Check that the Active Directory
> >> > > > >> is functioning properly and reload the zone. The event data is the error
> >> > > > >> code.
> >> > > > >>
> >> > > > >> For more information, see Help and Support Center at
> >> > > > >> http://go.microsoft.com/fwlink/events.asp.
> >> > > > >> Data:
> >> > > > >> 0000: 2d 23 00 00 -#..
> >> > > > >>
> >> > > > >> Brown
> >> > > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> > > > >> news:#9C#vFA9EHA.3504@TK2MSFTNGP12.phx.gbl...
> >> > > > >>> On the nonSBS mta-server02 try reversing these DNS
> >> > > > >>> server settings in its Tcp/Ip properties
> >> > > > >>> DNS Servers . . . . . . . . . . . : 192.168.1.98
> >> > > > >>> 192.168.1.99
> >> > > > >>> so that 1.99 is the first listed DNS server IP
> >> > > > >>> (assuming 1.99 is the SBS)
> >> > > > >>>
> >> > > > >>> Then on the SBS temporarily change the DNS
> >> > > > >>> forward zone for MTA-inc.local so that it will
> >> > > > >>> allow unsecured dynamic updates instead of only
> >> > > > >>> secured dynamic updates. (This is found in the
> >> > > > >>> r-click properties of the MTA-inc.local forward
> >> > > > >>> zone node - first set focus on the node by clicking
> >> > > > >>> and then r-click into its context menu.)
> >> > > > >>>
> >> > > > >>> Next, on the nonSBS at cmd prompt run these three:
> >> > > > >>> ipconfig /registerdns
> >> > > > >>> net stop netlogon
> >> > > > >>> net start netlogon
> >> > > > >>>
> >> > > > >>> Take a look into the forward zone for MTA-inc.local
> >> > > > >>> in the DNS server on SBS to see if the there are now
> >> > > > >>> DNS records for mta-server02 indicating its 1.98 addy,
> >> > > > >>>
> >> > > > >>> If so, try a reboot of the nonSBS.
> >> > > > >>>
> >> > > > >>> You will need to remember to set the forward zone
> >> > > > >>> back to allowing only secured dynamic updates after
> >> > > > >>> you are done. It would be good to leave both DCs
> >> > > > >>> set with their DNS servers in Tcp/Ip config set so
> >> > > > >>> that they first reference the other and next reference
> >> > > > >>> themselves - however, if doing this then both would
> >> > > > >>> need to be able to get out to the internet DNS servers.
> >> > > > >>>
> >> > > > >>>
> >> > > > >>> --
> >> > > > >>> Roger Abell
> >> > > > >>> Microsoft MVP (Windows Security)
> >> > > > >>> MCSE (W2k3,W2k,Nt4) MCDBA
> >> > > > >>> "Brown" <fbrown@mta-inc.com> wrote in message
> >> > > > >>> news:erOKNe$8EHA.2600@TK2MSFTNGP09.phx.gbl...
> >> > > > >>> > Here is the ipconfig:
> >> > > > >>> > Windows IP Configuration
> >> > > > >>> >
> >> > > > >>> > Host Name . . . . . . . . . . . . : mta-server02
> >> > > > >>> >
> >> > > > >>> > Primary Dns Suffix . . . . . . . : MTA-inc.local
> >> > > > >>> >
> >> > > > >>> > Node Type . . . . . . . . . . . . : Broadcast
> >> > > > >>> >
> >> > > > >>> > IP Routing Enabled. . . . . . . . : Yes
> >> > > > >>> >
> >> > > > >>> > WINS Proxy Enabled. . . . . . . . : Yes
> >> > > > >>> >
> >> > > > >>> > DNS Suffix Search List. . . . . . : MTA-inc.local
> >> > > > >>> >
> >> > > > >>> > Ethernet adapter Local Area Connection:
> >> > > > >>> >
> >> > > > >>> > Connection-specific DNS Suffix . :
> >> > > > >>> >
> >> > > > >>> > Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
> >> > > > >>> >
> >> > > > >>> > Physical Address. . . . . . . . . : 00-0C-6E-AF-F9-6C
> >> > > > >>> >
> >> > > > >>> > DHCP Enabled. . . . . . . . . . . : No
> >> > > > >>> >
> >> > > > >>> > IP Address. . . . . . . . . . . . : 192.168.1.98
> >> > > > >>> >
> >> > > > >>> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> >> > > > >>> >
> >> > > > >>> > Default Gateway . . . . . . . . . : 192.168.1.1
> >> > > > >>> >
> >> > > > >>> > DNS Servers . . . . . . . . . . . : 192.168.1.98
> >> > > > >>> >
> >> > > > >>> > 192.168.1.99
> >> > > > >>> >
> >> > > > >>> > Brown
> >> > > > >>> >
> >> > > > >>> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> > > > >>> > news:#aebW678EHA.1188@tk2msftngp13.phx.gbl...
> >> > > > >>> > > It is not unusual for a DC to fail to authenticate when it
> >> > > > >>> > > has not yet completed becoming a DC.
> >> > > > >>> > > The requested output from
> >> > > > >>> > > ipconfig /all
> >> > > > >>> > > when run on the failing machine would help greatly in
> >> > > > >>> > > understanding from the previously provided netdiag output
> >> > > > >>> > > if there is a simple route to get the initial replication to
> >> > > > >>> > > complete so that the machine can complete its promotion.
> >> > > > >>> > >
> >> > > > >>> > > --
> >> > > > >>> > > Roger Abell
> >> > > > >>> > > Microsoft MVP (Windows Security)
> >> > > > >>> > > MCSE (W2k3,W2k,Nt4) MCDBA
> >> > > > >>> > > "Brown" <fbrown@mta-inc.com> wrote in message
> >> > > > >>> > > news:uY35RQz8EHA.2540@TK2MSFTNGP09.phx.gbl...
> >> > > > >>> > > > In the Event Log I get the following message:
> >> > > > >>> > > >
> >> > > > >>> > > > Event Type: Warning
> >> > > > >>> > > >
> >> > > > >>> > > > Event Source: LSASRV
> >> > > > >>> > > >
> >> > > > >>> > > > Event Category: SPNEGO (Negotiator)
> >> > > > >>> > > >
> >> > > > >>> > > > Event ID: 40960
> >> > > > >>> > > >
> >> > > > >>> > > > Date: 1/5/2005
> >> > > > >>> > > >
> >> > > > >>> > > > Time: 7:18:18 AM
> >> > > > >>> > > >
> >> > > > >>> > > > User: N/A
> >> > > > >>> > > >
> >> > > > >>> > > > Computer: MTA-SERVER02
> >> > > > >>> > > >
> >> > > > >>> > > > Description:
> >> > > > >>> > > >
> >> > > > >>> > > > The Security System detected an authentication error for the server
> >> > > > >>> > > > cifs/mta-main.MTA-inc.local. The failure code from authentication protocol
> >> > > > >>> > > > Kerberos was "The attempted logon is invalid. This is either due to a bad
> >> > > > >>> > > > username or authentication information.
> >> > > > >>> > > >
> >> > > > >>> > > > (0xc000006d)".
> >> > > > >>> > > >
> >> > > > >>> > > > For more information, see Help and Support Center at
> >> > > > >>> > > > http://go.microsoft.com/fwlink/events.asp.
> >> > > > >>> > > >
> >> > > > >>> > > > Data:
> >> > > > >>> > > >
> >> > > > >>> > > > 0000: 6d 00 00 c0 m..À
> >> > > > >>> > > >
> >> > > > >>> > > > ----------------
> >> > > > >>> > > > Brown
> >> > > > >>> > > >
> >> > > > >>> > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> > > > >>> > > > news:Ot5o7Av8EHA.4004@tk2msftngp13.phx.gbl...
> >> > > > >>> > > > > '192.168.1.99' is IP of the SBS ?
> >> > > > >>> > > > > Can you clarify for me a little just what you meant by
> >> > > > >>> > > > > > It appears that the name for the Win2K3 on the SBS2K3 server is not in sync
> >> > > > >>> > > > > > with the name on the Win2k3 server, but I cannot locate an occurrence where
> >> > > > >>> > > > > > it is different.
> >> > > > >>> > > > > Names as seen where ?
> >> > > > >>> > > > > Can you post output from running, on the failing W2k3 (nonSBS)
> >> > > > >>> > > > > ipconfig /all
> >> > > > >>> > > > >
> >> > > > >>> > > > > --
> >> > > > >>> > > > > Roger Abell
> >> > > > >>> > > > > Microsoft MVP (Windows Security)
> >> > > > >>> > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> >> > > > >>> > > > > "Brown" <fbrown@mta-inc.com> wrote in message
> >> > > > >>> > > > > news:%23acMnep8EHA.2156@TK2MSFTNGP10.phx.gbl...
> >> > > > >>> > > > > > OK, I'm back - I have gone through the suggestions and am still at a loss.
> >> > > > >>> > > > > > Netdiag still shows problems on the Win2K3 server:
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > Domain membership test . . . . . . : Failed
> >> > > > >>> > > > > > [WARNING] Ths system volume has not been completely replicated to the local
> >> > > > >>> > > > > > machine. This machine is not working properly as a DC.
> >> > > > >>> > > > > > ------
> >> > > > >>> > > > > > DNS test . . . . . . . . . . . . . : Failed
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry MTA-inc.local. re-registeration on DNS
> >> > > > >>> > > > > > server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry _ldap._tcp.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> >> > > > >>> > > > > > _ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> >> > > > >>> > > > > > _ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> >> > > > >>> > > > > > 67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> >> > > > >>> > > > > > _kerberos._tcp.dc._msdcs.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> >> > > > >>> > > > > > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> >> > > > >>> > > > > > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> >> > > > >>> > > > > > _kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry _kerberos._udp.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry _kpasswd._udp.MTA-inc.local.
> >> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > DNS Error code: 0x00002339
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for
> >> > > > >>> > > > > > this DC on DNS server '192.168.1.99'.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > [FATAL] No DNS servers have the DNS records for this DC registered.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > ------
> >> > > > >>> > > > > > DC list test . . . . . . . . . . . : Failed
> >> > > > >>> > > > > > [WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99).
> >> > > > >>> > > > > > [SEC_E_WRONG_PRINCIPAL]
> >> > > > >>> > > > > > -------
> >> > > > >>> > > > > > Trust relationship test. . . . . . : Failed
> >> > > > >>> > > > > > [WARNING] Don't have access to test your domain sid for domain 'MTA-INC'.
> >> > > > >>> > > > > > [Test skipped]
> >> > > > >>> > > > > > [FATAL] Secure channel to domain 'MTA-INC' is broken.
> >> > > > >>> > > > > > [ERROR_NO_TRUST_SAM_ACCOUNT]
> >> > > > >>> > > > > > -----
> >> > > > >>> > > > > > Kerberos test. . . . . . . . . . . : Failed
> >> > > > >>> > > > > > [FATAL] Kerberos does not have a ticket for host/mta-server02.MTA-inc.local.
> >> > > > >>> > > > > > -----
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > It appears that the name for the Win2K3 on the SBS2K3 server is not in sync
> >> > > > >>> > > > > > with the name on the Win2k3 server, but I cannot locate an occurrence where
> >> > > > >>> > > > > > it is different.
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > Brown
> >> > > > >>> > > > > >
> >> > > > >>> > > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> > > > >>> > > > > > news:eiCa33w6EHA.1408@TK2MSFTNGP10.phx.gbl...
> >> > > > >>> > > > > > > No problem Frank. Let us know if you did not get
> >> > > > >>> > > > > > > fixed up by this.
> >> > > > >>> > > > > > > BTW, if you can remote into the SBS then you should
> >> > > > >>> > > > > > > be able to open a remote desktop to the W2k3 from
> >> > > > >>> > > > > > > within the SBS. Double remote desktop can be a little
> >> > > > >>> > > > > > > tedious but does work. Also, you can configure the
> >> > > > >>> > > > > > > SBS to directly mediate remote desktop connection
> >> > > > >>> > > > > > > to any internal machine should you so choose.
> >> > > > >>> > > > > > >
> >> > > > >>> > > > > > > --
> >> > > > >>> > > > > > > Roger Abell
> >> > > > >>> > > > > > > Microsoft MVP (Windows Security)
> >> > > > >>> > > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> >> > > > >>> > > > > > > "Brown" <fbrown@knology.net> wrote in message
> >> > > > >>> > > > > > > news:%23OB%23Mfg6EHA.2032@tk2msftngp13.phx.gbl...
> >> > > > >>> > > > > > > > Roger, Thanks for the help. I have run the netdiag /fix and it looks like
> >> > > > >>> > > > > > > > it has cleared up some of the problems. I am back home working via the SBS
> >> > > > >>> > > > > > > > remote access. The 2K3 machine is not available (part of the problem) so I
> >> > > > >>> > > > > > > > will have to try to get back in to the office to do it. I will be out of
> >> > > > >>> > > > > > > > touch for several days, and may not be able to get back to it until then. I
> >> > > > >>> > > > > > > > have your suggestions, and will see if that takes care of me when I can get
> >> > > > >>> > > > > > > > back on the machine.
> >> > > > >>> > > > > > > >
> >> > > > >>> > > > > > > > I want to make sure you Steven know how much I appreciate your patience and
> >> > > > >>> > > > > > > > assistance.
> >> > > > >>> > > > > > > >
> >> > > > >>> > > > > > > > Frank Brown
> >> > > > >>> > > > > > > >
> >> > > > >>> > > > > > > >
> >> > > > >>> > > > > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in
> >> > > > >>> > > > > > > > message
> >> > > > >>> > > > > > > > news:%23v0SqWf6EHA.1392@tk2msftngp13.phx.gbl...
> >> > > > >>> > > > > > > > > On the SBS first run
> >> > > > >>> > > > > > > > > netdiag /fix
> >> > > > >>> > > > > > > > > Verify that the zones supporting the AD are configured for
> >> > > > >>> > > > > > > > > secured dynamic updates allowed. For this, run the DNS
> >> > > > >>> > > > > > > > > mgmt UI and highlight each forward zone then rclick into
> >> > > > >>> > > > > > > > > its properties. They should be AD integrated and allowing
> >> > > > >>> > > > > > > > > secured dynamic updates.
> >> > > > >>> > > > > > > > >
> >> > > > >>> > > > > > > > > On the failing W2k3 check that
> >> > > > >>> > > > > > > > > - in tcp/ip settings the DNS server is the SBS machine
> >> > > > >>> > > > > > > > > - in System properties (rclick my computer, properties)
> >> > > > >>> > > > > > > > > the full computer name is correct, right domain
> >> > > > >>> > > > > > > > > at cmd prompt run
> >> > > > >>> > > > > > > > > net stop netlogon
> >> > > > >>> > > > > > > > > net start netlogon
> >> > > > >>> > > > > > > > > then rerun netdiag to see if it is clean.
> >> > > > >>> > > > > > > > >
> >> > > > >>> > > > > > > > > Once clean, you will want to install DNS on the
> >> > > > >>> > > > > > > > > second DC (if not already) and have it host the same
> >> > > > >>> > > > > > > > > AD integrated zones as are on the other DNS service.
> >> > > > >>> > > > > > > > >
> >> > > > >>> > > > > > > > > optional/advised:
> >> > > > >>> > > > > > > > > After you have DNS fault tolerance, you could/should
> >> > > > >>> > > > > > > > > configure each DC to point first to the other and then
> >> > > > >>> > > > > > > > > to itself for DNS services in the Tcp/Ip config.
> >> > > > >>> > > > > > > > >
> >> > > > >>> > > > > > > > > --
> >> > > > >>> > > > > > > > > Roger Abell
> >> > > > >>> > > > > > > > > Microsoft MVP (Windows Security)
> >> > > > >>> > > > > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> >> > > > >>> > > > > > > > > "Brown" <fbrown@mta-inc.com> wrote in message
> >> > > > >>> > > > > > > > > news:OKNECGf6EHA.1204@TK2MSFTNGP10.phx.gbl...
> >> > > > >>> > > > > > > > >> OK, I ran dcdiag and netdiag on the 2K3 machine errors abound ----
> >> > > > >>> > > > > > > > >> First: dcdiag > "Although the Guid name <string of stuff here> couldn't be
> >> > > > >>> > > > > > > > >> resolved, the server name (server02.domain.local) resolved to the IP address
> >> > > > >>> > > > > > > > >> (192.168.1.98) and was pingable. Check that the IP address is registered
> >> > > > >>> > > > > > > > >> correctly with the DNS Server."
> >> > > > >>> > > > > > > > >> The other tests in dcdiag passed
> >> > > > >>> > > > > > > > >> Then: netdiag:> Domain membership test: Failed "[WARNING] The system
> >> > > > >>> > > > > > > > >> volume has not been completely replicated to the local machine. This
> >> > > > >>> > > > > > > > >> machine is not working properly as a DC."
> >> > > > >>> > > > > > > > >> DC test: failed "[WARNING] The DNS entries for this DC are not registered
> >> > > > >>> > > > > > > > >> correctly on the DNS server '192.168.1.99'. Please wait for 30 minutes for
> >> > > > >>> > > > > > > > >> DNS server replication. [FATAL] No DNS servers have the DNS records for
> >> > > > >>> > > > > > > > >> this DC registered."
> >> > > > >>> > > > > > > > >> DC list test: Failed [WARNING] Cannot call DsBind to main.domain.local
> >> > > > >>> > > > > > > > >> (192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
> >> > > > >>> > > > > > > > >> Trust Relationship test: Failed ....
> >> > > > >>> > > > > > > > >> Kerberos test: Failed........
> >> > > > >>> > > > > > > > >>
> >> > > > >>> > > > > > > > >> OK, HELP!! Where do I start??
> >> > > > >>> > > > > > > > >>
> >> > > > >>> > > > > > > > >> Brown
> >> > > > >>> > > > > > > > >>
> >> > > > >>> > > > > > > > >>
> >> > > > >>> > > > > > > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> > > > >>> > > > > > > > >> news:Oql3Ced6EHA.3124@TK2MSFTNGP11.phx.gbl...
> >> > > > >>> > > > > > > > >> > and netdiag and dcdiag have told you . . . ?
> >> > > > >>> > > > > > > > >> >
> >> > > > >>> > > > > > > > >> > --
> >> > > > >>> > > > > > > > >> > Roger
> >> > > > >>> > > > > > > > >> > "Brown" <fbrown@knology.net> wrote in message
> >> > > > >>> > > > > > > > >> > news:OEn0igV6EHA.2568@TK2MSFTNGP11.phx.gbl...
> >> > > > >>> > > > > > > > >> > > The SBS machine has 2 NICs but only one is active. The Win2K3 has one NIC.
> >> > > > >>> > > > > > > > >> > > DHCP is running on an external router.
> >> > > > >>> > > > > > > > >> > >
> >> > > > >>> > > > > > > > >> > > Brown
> >> > > > >>> > > > > > > > >> > >
> >> > > > >>> > > > > > > > >> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> > > > >>> > > > > > > > >> > > news:uZpd85T6EHA.2192@TK2MSFTNGP14.phx.gbl...
> >> > > > >>> > > > > > > > >> > > > For DC communications issues your first stop shop to
> >> > > > >>> > > > > > > > >> > > > get hints of what may be amiss is by running on each DC
> >> > > > >>> > > > > > > > >> > > > netdiag and dcdiag utilities (depending on versions, you
> >> > > > >>> > > > > > > > >> > > > may need to install the optional support tools from the CD).
> >> > > > >>> > > > > > > > >> > > >
> >> > > > >>> > > > > > > > >> > > > Which, if any, of these machines are multihomed (>1 nic)?
> >> > > > >>> > > > > > > > >> > > >
> >> > > > >>> > > > > > > > >> > > > --
> >> > > > >>> > > > > > > > >> > > > Roger Abell
> >> > > > >>> > > > > > > > >> > > >
> >> > > > >>> > > > > > > > >> > > > "Brown" <fbrown@mta-inc.com> wrote in message
> >> > > > >>> > > > > > > > >> > > > news:O5OJURP6EHA.4008@TK2MSFTNGP15.phx.gbl...
> >> > > > >>> > > > > > > > >> > > >> I tried that, but since it is a DC (backup) it will not allow this. Is
> >> > > > >>> > > > > > > > >> > > >> there any other way to get them to shake hands?
> >> > > > >>> > > > > > > > >> > > >> Brown
> >> > > > >>> > > > > > > > >> > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> > > > >>> > > > > > > > >> > > >> news:%23deks%23L6EHA.3124@TK2MSFTNGP11.phx.gbl...
> >> > > > >>> > > > > > > > >> > > >> > did I actually forget to mention that you could try resetting
> >> > > > >>> > > > > > > > >> > > >> > the machine account (in AD Users and Comps) . . .
> >> > > > >>> > > > > > > > >> > > >> >
> >> > > > >>> > > > > > > > >> > > >> > --
> >> > > > >>> > > > > > > > >> > > >> > Roger Abell
> >> > > > >>> > > > > > > > >> > > >> >
> >> > > > >>> > > > > > > > >> > > >> > "Brown" <fbrown@mta-inc.com> wrote in message
> >> > > > >>> > > > > > > > >> > > >> > news:O2$c8m55EHA.2624@TK2MSFTNGP11.phx.gbl...
> >> > > > >>> > > > > > > > >> > > >> >> I am running SBS 2003 Pro (MAIN), with a Win2K3 Standard server (SERVER02)
> >> > > > >>> > > > > > > > >> > > >> >> which is providing file server and AD Backup tasks.
> >> > > > >>> > > > > > > > >> > > >> >> I am getting an error message in the System Event Viewer, source Netlogon:
> >> > > > >>> > > > > > > > >> > > >> >> "The session setup from the computer SERVER02 failed to authenticate.
> >> > > > >>> > > > > > > > >> > > >> >> The name(s) of the account(s) referenced in the security database is SERVER02$.
> >> > > > >>> > > > > > > > >> > > >> >> The following error occured: Access denied."
> >> > > > >>> > > > > > > > >> > > >> >>
> >> > > > >>> > > > > > > > >> > > >> >> What do I need to do to correct this?
> >> > > > >>> > > > > > > > >> > > >> >>
> >> > > > >>> > > > > > > > >> > > >> >> Brown